kasia in a nutshell: February 2005 Archives


February 16, 2005

Don't code before having coffee

I was testing a new blog-spam detection script this morning: I generated the same kind of hits a spammer would make on my blog, tested the script (all great), turned the script on and left for work.

Came home from work, sat down to check my email and noticed I couldn't get to my server. Checked traceroute.. times out at the gateway.. hmm.. odd.. Other people can get to it, how strange.. Logged in on a console, everything is working and people are using it. Yep, sure enough, I banned my own bloody IP using my spammer detection script. Hey, at least I know it works well.

Thank god for a remote console..

February 15, 2005

Free spammers to a good home

Ever since I started posting these lists my blog has become a very popular place to spam. I can only assume spammers like to be advertised and I love to help with that worthy goal.. hence 202 brand new IP list additions. I will automate this.. promise. Btw, you, the persistent spammer that comes back daily with a new set of IPs, your script has a fatal flaw that makes it easy to detect but I'm not telling you what! This will bug you now :)

  1. Entire list
    Entire list with iptables syntax
  2. New additions since last list
    New additions with iptables syntax
  3. Previous posting

MLB buys Tickets.com

My former employer, Tickets.com, is being purchased by MLB.

I hope this doesn't mean that they will close down the CT office completely, that would be bad for my former co-workers!

February 14, 2005

Feedback of the week

Whenever you publish an email address on the Internet with an inviting caption like "send us your feedback" you will get all sorts of weirdness. We're used to that at dslreports and occasionally publish news articles pointing out some of the weirder stuff.. but this is the first one that actually made me want to blog it myself. Well, it is rather urgent:

Left as 'site feedback' on dslreports.com:

I was trying to back out of the garage and these shaw people just blocked the entrance, I asked them kindly to move and they were being nasty and said "I'm up here and blah blah blah - anyways I'm lazy to everything packed and get down then get up there again" their liscence plate is 2315 XE, please tell them not to do that next time or towing will be a result! *this is a warning*

Ahh... Verizon

I don't know who is in charge of Verizon's mail servers, but they need help, now. A few days ago, a few dslreports users complained that they were not receiving any email from us: password reminders, notifications they asked for, etc.. It's not spam they're missing but legitimate mail. After checking the logs and seeing nothing but tons of timeouts trying to connect to Verizon's mail servers I did the very first thing any admin would, namely:

$ dig verizon.net mx

;; ANSWER SECTION:
verizon.net. 13452 IN MX 0 relay.verizon.net.

okay..

$ telnet relay.verizon.net 25
Trying 206.46.170.12...

That was from the dslreports mail server.. hmm... could be Verizon's server is down?

$ ping relay.verizon.net
PING relay.verizon.net (206.46.170.12) 56(84) bytes of data.
64 bytes from relay.gte.net (206.46.170.12): icmp_seq=1 ttl=243 time=44.9 ms
64 bytes from relay.gte.net (206.46.170.12): icmp_seq=2 ttl=243 time=44.7 ms

--- relay.verizon.net ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1010ms
rtt min/avg/max/mdev = 44.751/44.833/44.916/0.227 ms

Well.. the server is obviously up, but is the mail server? From another host:

$ telnet relay.verizon.net 25
Trying 206.46.170.12...
Connected to relay.gte.net (206.46.170.12).
Escape character is '^]'.
220 sc002pub.verizon.net MailPass SMTP server v1.1.1 - 121803235448JY ready Mon, 14 Feb 2005 18:08:02 -0600

Well.. gee.. look at that, Verizon is obviously filtering out mail.dslreports.com and not allowing us any connections. Blacklists? Nope, clean as a whistle (btw, Derek, yours is consistently timing out from that site).

I emailed the typical addresses one would try to contact a mail admin.. nothing.. no reply, no acknowledgment, no bounce.. great.. In the meantime some of our users started asking Verizon. As customers they have a bit more leeway than I.. Here's what Verizon came back with:

said by Verizon Online Support Center:

Verizon will not accept mail from senders that are not recognized on the sender's mail system as a recipient. This is a problem on dslreport's side and will need to be corrected before mail from this address will be accepted.

The domains that are being looked into for you are not part of any blacklisting issue, but rather a part of a Sender Verify process. A While [sic] ago, servers were installed to verify sender e-mail addresses. All sites would need to be sender verified. If a sender is not valid, or their domain has not been validated, the message will be returned back to them. Any site that is not set up for sender verification will be allowed to pass through our system.

Thank you.

I explained to the user that there is no way they could have tried to verify the sender (which would have failed anyway, since this was one of our bounce addresses), because they never even attempted to accept the message.. kind of hard to do that without the basics.. like, say.. a server handshake, or maybe a connection?

They had a nice reply back:

said by un-named Verizon Online Support Agent:

I have passed the information along to our engineers. It seems that you have not understood our explanation of the Sender Verification process. I would suggest that you feel free to research this for yourself. You will see that the Sender Verification process is actually an industry standard.

Industry standard.. erm... whatever.. how is that connection doing? Right.. none.. and apparently they're working with us on it too! Funny, I didn't notice. Not a peep, none. Great job Verizon, way to serve your customers.. I've some gmail invites for all you poor Verizon users.

At this point, I'm guessing (this is really a guess) that they have some sort of limit of how many mails they will bounce based on failed sender verify and then blacklist the host.
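The two halves of this story, the port-25 probe I did by hand and the "Sender Verify" callout Verizon described, written out as Python. This is an added example, not code from the original post: probe_smtp() does what the telnet tests did and tells a greeting apart from a refused port and from the silence the dslreports host got, while verify_sender() performs a sender-address verification callout (HELO, empty MAIL FROM, RCPT TO, RSET, QUIT). It makes the point above concrete: the receiving side only learns the sender address after it has accepted the connection and the MAIL FROM, and the callout itself needs a second connection to the sender domain's MX. The FakeMX class, the mailbox names and mx.example.test are constructed so it runs offline.

```python
import socket
import threading

TIMEOUT = 5  # seconds; the post's telnet simply hung, this gives up instead

def _read_reply(f):
    """Read one SMTP reply ('250-' lines continue it); return (code, last line)."""
    while True:
        line = f.readline().decode("ascii", "replace").rstrip("\r\n")
        if not line:
            raise ConnectionError("peer closed the connection")
        if line[3:4] != "-":
            return int(line[:3]), line

def probe_smtp(host, port=25, timeout=TIMEOUT):
    """Classify a connection attempt to an SMTP port, as the post's telnet tests did:
    "banner" (reachable, 220 received), "refused" (nothing listens there) or
    "timeout" (silence: host down, or our source address is being dropped)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            code, line = _read_reply(s.makefile("rb"))
            return ("banner" if code == 220 else "unexpected"), line
    except socket.timeout:
        return "timeout", None
    except ConnectionRefusedError:
        return "refused", None
    except OSError as e:
        return "error", str(e)

def verify_sender(mx_host, port, sender, helo="verifier.example", timeout=TIMEOUT):
    """Sender-address verification callout: connect to the sender domain's MX, use
    the empty envelope sender a bounce would, ask RCPT TO:<sender>, then RSET and
    QUIT so nothing is delivered. Returns ("valid" | "invalid" | "unknown", reply);
    "unknown" covers temporary errors and, as in the post, no connection at all."""
    try:
        with socket.create_connection((mx_host, port), timeout=timeout) as s:
            f = s.makefile("rb")
            def cmd(text):
                s.sendall((text + "\r\n").encode("ascii"))
                return _read_reply(f)
            code, line = _read_reply(f)  # greeting
            if code == 220:
                code, line = cmd("HELO " + helo)
            if code == 250:
                code, line = cmd("MAIL FROM:<>")
            if code != 250:
                return "unknown", line
            code, line = cmd("RCPT TO:<%s>" % sender)
            verdict = "valid" if code == 250 else "invalid" if code >= 500 else "unknown"
            cmd("RSET")
            cmd("QUIT")
            return verdict, line
    except (OSError, ValueError) as e:
        return "unknown", str(e)

class FakeMX:
    """Constructed stand-in for a remote MX on 127.0.0.1: accepts RCPT TO for the given
    mailboxes, answers 550 for anything else, one session at a time."""

    def __init__(self, mailboxes):
        self.mailboxes = {m.lower() for m in mailboxes}
        self._sock = socket.socket()
        self._sock.bind(("127.0.0.1", 0))
        self._sock.listen(5)
        self.port = self._sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            self._session(self._sock.accept()[0])

    def _session(self, conn):
        with conn, conn.makefile("rb") as f:
            say = lambda text: conn.sendall((text + "\r\n").encode("ascii"))
            say("220 mx.example.test ESMTP ready")
            while True:
                line = f.readline().decode("ascii", "replace").strip()
                if not line:
                    break  # client went away without QUIT
                verb, _, arg = line.partition(" ")
                verb = verb.upper()
                if verb in ("HELO", "EHLO"):
                    say("250 mx.example.test")
                elif verb in ("MAIL", "RSET"):
                    say("250 2.0.0 Ok")
                elif verb == "RCPT":
                    addr = arg.partition(":")[2].strip().strip("<>").lower()
                    say("250 2.1.5 Ok" if addr in self.mailboxes else "550 5.1.1 User unknown")
                elif verb == "QUIT":
                    say("221 2.0.0 Bye")
                    break
                else:
                    say("502 5.5.2 Command not implemented")

if __name__ == "__main__":
    mx = FakeMX(["bounce@dslreports.example"])  # constructed mailbox
    print(probe_smtp("127.0.0.1", mx.port))
    print(verify_sender("127.0.0.1", mx.port, "bounce@dslreports.example"))
    print(verify_sender("127.0.0.1", mx.port, "nobody@dslreports.example"))
```

Against the fake MX the probe reports a banner, the known mailbox verifies as valid and the unknown one as invalid; point verify_sender() at a port nobody answers on and every verdict is "unknown", which is all a verifying server can ever say about a peer it refuses to talk to.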

February 05, 2005

More bad guys IPs

Bad guys really like my server lately, in the last couple of days I have seen three attempted attacks on my server with trackback floods from 74 unique IPs. Most are probably open proxies, trojaned machines or who-the-heck-knows-what, but still bad guys.

So.. a choice of:

  1. Entire list
    Entire list with iptables syntax
  2. New additions since last list
    New additions with iptables syntax
  3. Original list
    Original list with iptables syntax

I'm working on automating the collection and retrieval of these based on some clever rules.

Controlling spam with postfix

Steve has a pretty good tip on rejecting spammers with Postfix HELO controls.

In addition to that, I also use a combination of spamassassin and header checks to drop spam at the door:

In main.cf:

header_checks = regexp:/etc/postfix/header_checks

In /etc/postfix/header_checks:

/^X-Spam-Flag:.YES/ REJECT spam

What happens here? SpamAssassin sets the X-Spam-Flag: YES header on messages it scores as spam, and Postfix rejects any message carrying it.. This of course is only recommended if you're certain your spam rules are not producing false positives.
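To see what that one-line table actually does before trusting it with real mail, here is a small model of how Postfix applies a header_checks regexp table, written as an added example (it is not Postfix code and not from the original post). It follows the parts of regexp_table(5) and header_checks(5) that matter for this rule: comments and blank lines are skipped, patterns are case-insensitive by default, rules are tried in file order, matching is done per logical header (continuation lines attached), and plain body text is never looked at. Pattern flags and escaped delimiters are not modeled; the sample messages are constructed.

```python
import re

# Constructed copy of the post's /etc/postfix/header_checks, with a comment line
# added to show those are skipped.
HEADER_CHECKS = """\
# reject anything SpamAssassin has already flagged
/^X-Spam-Flag:.YES/ REJECT spam
"""

def parse_table(text):
    """Parse a regexp: lookup table into [(compiled pattern, action)].

    Blank lines and '#' comments are ignored, the pattern sits between a pair
    of delimiter characters ('/' here), matching is case-insensitive by default
    and rules keep file order. Flags after the closing delimiter and escaped
    delimiters inside the pattern are not handled (assumption: unused here).
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        delim = line[0]
        end = line.index(delim, 1)
        pattern, action = line[1:end], line[end + 1:].strip()
        rules.append((re.compile(pattern, re.IGNORECASE), action))
    return rules

def logical_headers(message):
    """Yield each logical header line, continuation lines still attached, and
    stop at the blank line that ends the header section. header_checks is
    applied per logical header, not per physical line."""
    current = None
    for line in message.splitlines():
        if line == "":
            break
        if line[:1] in (" ", "\t") and current is not None:
            current += "\n" + line
        else:
            if current is not None:
                yield current
            current = line
    if current is not None:
        yield current

def check_headers(message, rules):
    """Return (action, header) for the first rule matching any logical header,
    or ("OK", None) if nothing matches. A line that merely looks like a header
    inside the body does not count."""
    for header in logical_headers(message):
        for regex, action in rules:
            if regex.search(header):
                return action, header
    return "OK", None

# Constructed sample messages.
SPAM = "Received: from mx.example.test\nX-Spam-Flag: YES\nSubject: cheap stuff\n\nbody\n"
HAM = "X-Spam-Flag: NO\nX-Spam-Status: No, score=0.1\nSubject: hi\n\nbody\n"
LOWERCASE = "x-spam-flag: yes\nSubject: odd case\n\nbody\n"
QUOTED = "Subject: look at this header\n\nX-Spam-Flag: YES\n"

if __name__ == "__main__":
    rules = parse_table(HEADER_CHECKS)
    for name, msg in (("spam", SPAM), ("ham", HAM), ("lowercase", LOWERCASE), ("quoted", QUOTED)):
        print(name, check_headers(msg, rules))
```

The spam sample and its lower-case variant come back as "REJECT spam"; the ham and the message that only quotes the header in its body pass. One deployment detail worth knowing: Postfix runs header_checks in cleanup(8), so REJECT refuses the message at the SMTP door only when the X-Spam-Flag header is already there on first arrival (SpamAssassin as a before-queue filter or milter). With the usual after-queue content filter the match happens on the re-injected copy, after the sending server is long gone, and the result is a bounce rather than a refusal.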

February 02, 2005

Bad guys IPs

Here is a list of IP addresses that are either spamming comments or spamming referrer logs. These are all from my apache logs, and every one of them is either a trojaned machine or just a bad guy.

IP list alone.
IP list in handy iptables drop commands.
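What the automated version of these lists could look like, as an added example that is not the author's script: read Apache combined-log lines, count trackback pings per source address, and turn the offenders into iptables DROP commands like the ones linked above. It also builds in the lesson from the "Don't code before having coffee" post at the top of this page: an allowlist of addresses that are never banned, whatever they do, so testing the script from your own IP does not lock you out. The log lines, addresses, threshold and the /mt/mt-tb.cgi path are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed Apache combined-log sample (not the author's real logs): a trackback
# flood from 203.0.113.5 and 203.0.113.9, one legitimate ping from 192.0.2.44,
# and the admin's own test hits from 198.51.100.7.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Feb/2005:10:00:01 -0500] "POST /mt/mt-tb.cgi/12 HTTP/1.0" 200 150 "-" "Mozilla/4.0"
203.0.113.5 - - [05/Feb/2005:10:00:02 -0500] "POST /mt/mt-tb.cgi/13 HTTP/1.0" 200 150 "-" "Mozilla/4.0"
203.0.113.5 - - [05/Feb/2005:10:00:02 -0500] "POST /mt/mt-tb.cgi/14 HTTP/1.0" 200 150 "-" "Mozilla/4.0"
203.0.113.5 - - [05/Feb/2005:10:00:03 -0500] "POST /mt/mt-tb.cgi/15 HTTP/1.0" 200 150 "-" "Mozilla/4.0"
192.0.2.44 - - [05/Feb/2005:10:01:10 -0500] "GET /archives/2005/02/ HTTP/1.1" 200 8012 "-" "Mozilla/5.0"
192.0.2.44 - - [05/Feb/2005:10:01:40 -0500] "POST /mt/mt-tb.cgi/12 HTTP/1.1" 200 150 "-" "MT-Trackback/1.0"
203.0.113.9 - - [05/Feb/2005:10:02:00 -0500] "POST /mt/mt-tb.cgi/12 HTTP/1.0" 200 150 "-" "Mozilla/4.0"
203.0.113.9 - - [05/Feb/2005:10:02:00 -0500] "POST /mt/mt-tb.cgi/12 HTTP/1.0" 200 150 "-" "Mozilla/4.0"
203.0.113.9 - - [05/Feb/2005:10:02:01 -0500] "POST /mt/mt-tb.cgi/12 HTTP/1.0" 200 150 "-" "Mozilla/4.0"
198.51.100.7 - - [05/Feb/2005:10:05:00 -0500] "POST /mt/mt-tb.cgi/12 HTTP/1.0" 200 150 "-" "test-script"
198.51.100.7 - - [05/Feb/2005:10:05:00 -0500] "POST /mt/mt-tb.cgi/12 HTTP/1.0" 200 150 "-" "test-script"
198.51.100.7 - - [05/Feb/2005:10:05:01 -0500] "POST /mt/mt-tb.cgi/12 HTTP/1.0" 200 150 "-" "test-script"
"""

# Addresses that must never be banned however suspicious their traffic looks:
# the admin's own address, the box itself, the LAN it is managed from.
# Constructed values; the point is that this list exists and is checked last.
ALLOWLIST = [ipaddress.ip_network(n) for n in ("198.51.100.7/32", "127.0.0.0/8", "10.0.0.0/8")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_log(text):
    """Yield (ip, method, path) per well-formed combined-log line; lines that do
    not parse, or carry a hostname instead of an address, are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue
        yield str(ip), m.group("method"), m.group("path")

def count_trackbacks(records, tb_path="/mt/mt-tb.cgi"):
    """Count trackback pings (POSTs to the trackback CGI) per source address."""
    counts = Counter()
    for ip, method, path in records:
        if method == "POST" and path.startswith(tb_path):
            counts[ip] += 1
    return counts

def bad_ips(counts, threshold, allowlist=ALLOWLIST):
    """Addresses at or over the threshold that no allowlist network covers."""
    result = []
    for ip in sorted(counts, key=ipaddress.ip_address):
        addr = ipaddress.ip_address(ip)
        if counts[ip] >= threshold and not any(addr in net for net in allowlist):
            result.append(ip)
    return result

def iptables_rules(ips, chain="INPUT"):
    """Render DROP rules; -I inserts them ahead of any ACCEPT rule already in the chain."""
    return ["iptables -I %s -s %s -j DROP" % (chain, ip) for ip in ips]

if __name__ == "__main__":
    flood = bad_ips(count_trackbacks(parse_log(SAMPLE_LOG)), threshold=3)
    print("\n".join(iptables_rules(flood)))
```

Run as is it prints DROP rules for 203.0.113.5 and 203.0.113.9 only: the legitimate single ping stays under the threshold, and 198.51.100.7 is over it but allowlisted, which is exactly the case that locked the author out.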